mirror of
https://github.com/stack-auth/stack.git
synced 2026-06-21 21:09:49 +08:00
f7e389809e
Some checks failed
all-good: Did all the other checks pass? / all-good (push) Has been cancelled
Ensure Prisma migrations are in sync with the schema / check_prisma_migrations (22.x) (push) Has been cancelled
DB migration compat / Check if migrations changed (push) Has been cancelled
Docker Server Build and Push / Docker Build and Push Server (push) Has been cancelled
Docker Server Build and Run / docker (push) Has been cancelled
Runs E2E API Tests (Local Emulator) / E2E Tests (Local Emulator, Node ${{ matrix.node-version }}) (22.x) (push) Has been cancelled
Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (mock, 22.x) (push) Has been cancelled
Runs E2E API Tests / E2E Tests (Node ${{ matrix.node-version }}, Freestyle ${{ matrix.freestyle-mode }}) (prod, 22.x) (push) Has been cancelled
Runs E2E API Tests with custom port prefix / build (22.x) (push) Has been cancelled
Runs E2E Fallback Tests / E2E Fallback Tests (Node ${{ matrix.node-version }}) (22.x) (push) Has been cancelled
Lint & build / lint_and_build (24) (push) Has been cancelled
TOC Generator / TOC Generator (push) Has been cancelled
DB migration compat / Back-compat — Current branch migrations with ${{ needs.check-migrations-changed.outputs.base_branch }} branch code (push) Has been cancelled
DB migration compat / Forward-compat — Current branch code with ${{ needs.check-migrations-changed.outputs.base_branch }} branch migrations (push) Has been cancelled
DB migration compat / No migration changes (skipped) (push) Has been cancelled
## Summary
**Stacked on #1468** (`docs/hexclave-rename-plan` — the plan doc). Diff
vs that base = the actual PR 1 code.
This is **PR 1 of the Hexclave rebrand: the invisible compatibility
layer**. Everything is additive. Old SDKs, old wire identifiers, and old
env var names keep working unchanged. The backend dual-accepts and
dual-emits; new SDK code emits `x-hexclave-*` headers and the
`hexclave_` Bearer prefix; cookies dual-write; env vars dual-read across
every category. **No user-visible rebranding lands here** — that's PR 2.
See [`RENAME-TO-HEXCLAVE.md`](./RENAME-TO-HEXCLAVE.md) → *"PR 1
implementation guide"* for the full per-work-area spec, file pointers,
and chosen approach.
## What's implemented (all 14 PR-1 work-areas)
- **SDK export aliases** — `Hexclave*` aliases for the user-facing
`Stack*` exports added in `packages/template`; codegen propagates them
to `@stackframe/{js,stack,react,tanstack-start}`. React-only aliases
correctly excluded from `@stackframe/js`. (`e60550a2`)
- **JWT issuer dual-accept** — `decodeAccessToken` accepts both
`api.stack-auth.com` and `api.hexclave.com` issuers. Signing unchanged.
(`fc781def`)
- **Request-header dual-accept** — backend + dashboard proxies normalize
`x-hexclave-*` → `x-stack-*` at the existing empty proxy hook (so
`smart-request.tsx` and every route schema keep working unchanged); CORS
allowlists extended via a derive-once helper. (`2a056eac`)
- **MCP `ask_hexclave`** — registered alongside `ask_stack_auth` via a
shared helper; `ask_stack_auth` behavior byte-identical. (`30ffd604`)
- **Dev-tool** — DOM ids + header emit switched.
`window.HexclaveDevTool` exposed alongside `window.StackDevTool`.
(`32131ea7`)
- **The big consolidated commit** (`7fed864a`):
- **Env vars** — central `getEnvVariable` prefix-transform (HEXCLAVE
first, STACK fallback); dashboard + template client env files dual-read;
`turbo.json` globalEnv; `NEXT_PUBLIC_STACK_PORT_PREFIX` renamed outright
across ~82 files including docker.
- **Cookies** — dual-write/dual-read auth (`stack-access`/`-refresh-*`
and custom-domain variants), OAuth-state
(`stack-oauth-{inner,outer}-*`), and low-risk cookies (`stack-is-https`,
`stack-last-seen-changelog-version`). Bypass sites patched (backend
OAuth callback, dashboard remote-dev auth route, impersonation snippets,
snapshot serializer).
- **Bearer prefix** — SDK token parser accepts both `stackauth_` and
`hexclave_`; emits `hexclave_`. Discovery correction: this is purely
SDK-internal — the backend never parses it.
- **Response headers** — backend dual-emits
`x-hexclave-{request-id,actual-status,known-error}`; SDKs dual-read (new
first, stack fallback).
- **SDK request-header emit switch** —
`client/server/admin-interface.ts` + dashboard `api-headers.ts` +
`internal-project-headers.ts` + `feedback-form.tsx` switched to
`x-hexclave-*`. Plus `stack_response_mode` query param.
- **Storage keys** — dev-tool / cli-auth / oauth-button / docs keys
renamed (straight); `stack:session-replay:v1` dual-read so in-progress
recordings survive SDK upgrades; `stack_mfa_attempt_code` dual-read.
- **Query params** — cross-domain params dual-emit/dual-accept via
shared helpers; backend `oauth/authorize` accepts
`hexclave_response_mode` and `stack_response_mode`; `stack-init-id`
renamed.
- **`Symbol.for`** — app-internals symbol gets a parallel
`Symbol.for("Hexclave--app-internals")` getter on each attach site (no
read-site churn — old symbol still attached). 3 file-private symbols
renamed outright.
- **Config discovery** — prefer `hexclave.config.ts`, fall back to
`stack.config.ts` at every discovery site (CLI / dashboard / backend /
local-emulator); `init` writes the new filename; CLI credentials path
migrates.
- **Internal renames** — `StackAssertionError`,
`StackClient/Server/AdminInterface` renamed outright (no alias, per the
"internal-only → rename" rule). ~264 files touched.
- **Review-pass fixes** (`21217fbe`) — three real bugs found by parallel
review agents and fixed:
- `snapshot-serializer.ts` was interpolating the whole
`keyedCookieNamePrefixes` array (`${arr}`) — adding a second prefix
would have corrupted **every** OAuth-cookie snapshot, not just new ones.
- **Docker port-prefix producer/consumer mismatch** —
`entrypoint.sh`/`run-emulator.sh`/cloud-init `user-data` were still
producing `NEXT_PUBLIC_STACK_PORT_PREFIX` while the dashboard sentinel +
consumers had been renamed; silent self-host regression (custom port
prefix would be ignored).
- **Missing `hexclave-oauth-inner-*` dual-write** in the OAuth authorize
route — callback's fallback masked it but the dual-write was specified
by the plan.
- Plus: `mcp.test.ts` tool-list assertions updated to include
`ask_hexclave`; two dashboard header-emit sites switched to
`x-hexclave-*` for consistency.
- **E2E snapshot serializer follow-up** (`4b16cc5d`) —
`x-hexclave-request-id` added to the hidden-headers list (mirroring
`x-stack-request-id` treatment), and 2 sample inline snapshots
regenerated in `projects.test.ts` to include the new dual-emitted
headers.
## Verification
- **`pnpm typecheck`** — clean (the fresh-worktree `@/.source` / Prisma
codegen gap in `stack-docs` is pre-existing and unrelated).
- **`pnpm lint`** — 29/29 packages green.
- **`pnpm exec turbo run build --filter=./packages/*`** — 13/13 packages
build (including `@stackframe/stack-cli` once the dashboard standalone
is present).
- **Live E2E** against a running backend on `cl/hexclave-pr1`:
- `pnpm test run
apps/e2e/tests/backend/endpoints/api/v1/internal/mcp.test.ts` — **6/6
pass** (verifies the new `ask_hexclave` tool — the hand-written inline
snapshot matched actual MCP server output).
- `pnpm test run
apps/e2e/tests/backend/endpoints/api/v1/internal/projects.test.ts` —
**11/11 pass** (verifies wire dual-accept + dual-emit end-to-end; the
snapshot serializer fix was found and applied during this check).
A four-agent parallel **review pass** also audited the full diff for
logic/runtime bugs across the work-areas (wire headers + JWT, cookies +
bearer + symbols, env vars, query params + config + MCP + aliases). All
in-slice review verdicts were ✓ except the three bugs listed above,
which are now fixed.
## Known follow-ups (out of scope for this PR)
- **E2E snapshots across the rest of the suite** — backend now
dual-emits `x-hexclave-{known-error,actual-status}` alongside
`x-stack-*`, which legitimately appears in inline snapshots throughout
`apps/e2e`. Two were regenerated here as a sample; the rest should regen
with `vitest -u` in CI.
- **Docker shell env vars beyond `PORT_PREFIX`** — `entrypoint.sh` still
reads `STACK_*` env vars directly (the JS-side `getEnvVariable`
transform doesn't help the shell). JS consumers dual-read so it works in
practice; full shell-level dual-read is a deeper self-host follow-up.
- **`@stackframe/stack-cli` build ordering** — pre-existing; needs
`build:rde-standalone` first. Not affected by this PR.
## Test plan
- [ ] CI runs full e2e suite (with `vitest -u` to absorb dual-emit
snapshot deltas, then committed back)
- [ ] Spot-check: an old SDK build (emitting only `x-stack-*`) still
authenticates against the new backend
- [ ] Spot-check: a new SDK (emitting `x-hexclave-*` / `Bearer
hexclave_*`) still authenticates against an old backend during deploy
ordering
- [ ] Manual: `npx @stackframe/stack-cli@latest init` (new onboarding
entrypoint) generates `hexclave.config.ts`
- [ ] Manual: existing `stack.config.ts`-only project still resolves (no
migration required)
---------
Co-authored-by: bilal <bilal@stack-auth.com>
679 lines
25 KiB
TypeScript
679 lines
25 KiB
TypeScript
import { it } from "../helpers";
|
|
import { createApp } from "./js-helpers";
|
|
|
|
const signIn = async (clientApp: any) => {
|
|
await clientApp.signUpWithCredential({
|
|
email: "test@test.com",
|
|
password: "password",
|
|
verificationCallbackUrl: "http://localhost:3000",
|
|
});
|
|
await clientApp.signInWithCredential({
|
|
email: "test@test.com",
|
|
password: "password",
|
|
});
|
|
};
|
|
|
|
// Hexclave rebrand: accept either the legacy `stackauth_` prefix or the new `hexclave_` one.
|
|
const STACK_AUTHORIZATION_VALUE_PREFIX = "stackauth_";
|
|
const HEXCLAVE_AUTHORIZATION_VALUE_PREFIX = "hexclave_";
|
|
|
|
function parseAuthorizationHeaderValue(value: string): { accessToken: string | null, refreshToken: string | null } {
|
|
const bearerMatch = value.match(/^Bearer\s+(.+)$/i);
|
|
if (bearerMatch == null) {
|
|
throw new Error(`Invalid authorization header format: ${value}`);
|
|
}
|
|
|
|
const credential = bearerMatch[1];
|
|
const matchedPrefix = credential.startsWith(HEXCLAVE_AUTHORIZATION_VALUE_PREFIX) ? HEXCLAVE_AUTHORIZATION_VALUE_PREFIX
|
|
: credential.startsWith(STACK_AUTHORIZATION_VALUE_PREFIX) ? STACK_AUTHORIZATION_VALUE_PREFIX
|
|
: null;
|
|
if (matchedPrefix == null) {
|
|
throw new Error(`Invalid authorization credential (expected stackauth_/hexclave_ prefix): ${credential}`);
|
|
}
|
|
|
|
const encodedAuthJson = credential.slice(matchedPrefix.length);
|
|
if (encodedAuthJson.length === 0) {
|
|
throw new Error("Missing encoded auth payload.");
|
|
}
|
|
|
|
const decodedAuthJson = Buffer.from(encodedAuthJson, "base64").toString("utf8");
|
|
const parsed: unknown = JSON.parse(decodedAuthJson);
|
|
if (parsed == null || typeof parsed !== "object" || Array.isArray(parsed)) {
|
|
throw new Error("Decoded authorization payload must be an object.");
|
|
}
|
|
|
|
const accessToken = Reflect.get(parsed, "accessToken");
|
|
const refreshToken = Reflect.get(parsed, "refreshToken");
|
|
if (accessToken != null && typeof accessToken !== "string") {
|
|
throw new Error("Decoded authorization payload contains invalid accessToken.");
|
|
}
|
|
if (refreshToken != null && typeof refreshToken !== "string") {
|
|
throw new Error("Decoded authorization payload contains invalid refreshToken.");
|
|
}
|
|
|
|
return {
|
|
accessToken: accessToken ?? null,
|
|
refreshToken: refreshToken ?? null,
|
|
};
|
|
}
|
|
|
|
// ============================================
|
|
// version tests
|
|
// ============================================
|
|
|
|
it("clientApp.version should return a valid version string", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
expect(clientApp.version).toBeDefined();
|
|
expect(typeof clientApp.version).toBe("string");
|
|
expect(clientApp.version).toMatch(/^js @stackframe\/js@\d+\.\d+\.\d+/);
|
|
});
|
|
|
|
it("serverApp.version should return the same version as clientApp", async ({ expect }) => {
|
|
const { clientApp, serverApp } = await createApp({});
|
|
expect(serverApp.version).toBe(clientApp.version);
|
|
});
|
|
|
|
// ============================================
|
|
// getAccessToken / getRefreshToken tests
|
|
// ============================================
|
|
|
|
it("clientApp.getAccessToken should return access token when signed in", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const accessToken = await (clientApp as any).getAccessToken();
|
|
expect(accessToken).toBeDefined();
|
|
expect(typeof accessToken).toBe("string");
|
|
});
|
|
|
|
it("clientApp.getAccessToken should return null when not signed in", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
|
|
const accessToken = await (clientApp as any).getAccessToken();
|
|
expect(accessToken).toBeNull();
|
|
});
|
|
|
|
it("clientApp.getRefreshToken should return refresh token when signed in", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const refreshToken = await (clientApp as any).getRefreshToken();
|
|
expect(refreshToken).toBeDefined();
|
|
expect(typeof refreshToken).toBe("string");
|
|
});
|
|
|
|
it("clientApp.getRefreshToken should return null when not signed in", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
|
|
const refreshToken = await (clientApp as any).getRefreshToken();
|
|
expect(refreshToken).toBeNull();
|
|
});
|
|
|
|
it("clientApp.getAccessToken should work with tokenStore option", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const accessToken = await (clientApp as any).getAccessToken({ tokenStore: "memory" });
|
|
expect(accessToken).toBeDefined();
|
|
expect(typeof accessToken).toBe("string");
|
|
});
|
|
|
|
it("clientApp.getRefreshToken should work with tokenStore option", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const refreshToken = await (clientApp as any).getRefreshToken({ tokenStore: "memory" });
|
|
expect(refreshToken).toBeDefined();
|
|
expect(typeof refreshToken).toBe("string");
|
|
});
|
|
|
|
// ============================================
|
|
// user.getAccessToken / user.getRefreshToken tests
|
|
// ============================================
|
|
|
|
it("user.getAccessToken should return access token", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const user = await clientApp.getUser({ or: "throw" }) as any;
|
|
const accessToken = await user.getAccessToken();
|
|
expect(accessToken).toBeDefined();
|
|
expect(typeof accessToken).toBe("string");
|
|
});
|
|
|
|
it("user.getRefreshToken should return refresh token", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const user = await clientApp.getUser({ or: "throw" }) as any;
|
|
const refreshToken = await user.getRefreshToken();
|
|
expect(refreshToken).toBeDefined();
|
|
expect(typeof refreshToken).toBe("string");
|
|
});
|
|
|
|
// ============================================
|
|
// currentSession.getTokens tests
|
|
// ============================================
|
|
|
|
it("user.currentSession.getTokens should return both tokens", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const user = await clientApp.getUser({ or: "throw" });
|
|
const tokens = await user.currentSession.getTokens();
|
|
expect(tokens).toBeDefined();
|
|
expect(tokens.accessToken).toBeDefined();
|
|
expect(tokens.refreshToken).toBeDefined();
|
|
expect(typeof tokens.accessToken).toBe("string");
|
|
expect(typeof tokens.refreshToken).toBe("string");
|
|
});
|
|
|
|
// ============================================
|
|
// Consistency tests - ensure all methods return consistent values
|
|
// ============================================
|
|
|
|
it("clientApp token methods should return consistent values", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const accessToken = await (clientApp as any).getAccessToken();
|
|
const refreshToken = await (clientApp as any).getRefreshToken();
|
|
const authJson = await clientApp.getAuthJson();
|
|
|
|
expect(accessToken).toBe(authJson.accessToken);
|
|
expect(refreshToken).toBe(authJson.refreshToken);
|
|
});
|
|
|
|
it("user token methods should return consistent values", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const user = await clientApp.getUser({ or: "throw" }) as any;
|
|
|
|
const accessToken = await user.getAccessToken();
|
|
const refreshToken = await user.getRefreshToken();
|
|
const authJson = await user.getAuthJson();
|
|
const sessionTokens = await user.currentSession.getTokens();
|
|
|
|
// All methods should return consistent tokens
|
|
expect(accessToken).toBe(authJson.accessToken);
|
|
expect(refreshToken).toBe(authJson.refreshToken);
|
|
expect(accessToken).toBe(sessionTokens.accessToken);
|
|
expect(refreshToken).toBe(sessionTokens.refreshToken);
|
|
});
|
|
|
|
it("clientApp and user token methods should match", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const user = await clientApp.getUser({ or: "throw" }) as any;
|
|
|
|
// Compare getAccessToken results
|
|
const appAccessToken = await (clientApp as any).getAccessToken();
|
|
const userAccessToken = await user.getAccessToken();
|
|
expect(appAccessToken).toBe(userAccessToken);
|
|
|
|
// Compare getRefreshToken results
|
|
const appRefreshToken = await (clientApp as any).getRefreshToken();
|
|
const userRefreshToken = await user.getRefreshToken();
|
|
expect(appRefreshToken).toBe(userRefreshToken);
|
|
});
|
|
|
|
// ============================================
|
|
// Token validation tests - verify tokens actually work for authentication
|
|
// ============================================
|
|
|
|
it("access and refresh tokens should work for authentication", async ({ expect }) => {
|
|
const { clientApp, serverApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
// Get tokens from signed-in user
|
|
const accessToken = await (clientApp as any).getAccessToken();
|
|
const refreshToken = await (clientApp as any).getRefreshToken();
|
|
|
|
expect(accessToken).toBeDefined();
|
|
expect(refreshToken).toBeDefined();
|
|
|
|
// Create a new server app using these tokens
|
|
const serverUser = await serverApp.getUser({ tokenStore: { accessToken: accessToken!, refreshToken: refreshToken! } });
|
|
|
|
expect(serverUser).not.toBeNull();
|
|
expect(serverUser!.primaryEmail).toBe("test@test.com");
|
|
});
|
|
|
|
it("currentSession.getTokens should return tokens that work for authentication", async ({ expect }) => {
|
|
const { clientApp, serverApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const user = await clientApp.getUser({ or: "throw" });
|
|
const tokens = await user.currentSession.getTokens();
|
|
|
|
expect(tokens.accessToken).toBeDefined();
|
|
expect(tokens.refreshToken).toBeDefined();
|
|
|
|
// Create a new server app using these tokens
|
|
const serverUser = await serverApp.getUser({ tokenStore: { accessToken: tokens.accessToken!, refreshToken: tokens.refreshToken! } });
|
|
|
|
expect(serverUser).not.toBeNull();
|
|
expect(serverUser!.primaryEmail).toBe("test@test.com");
|
|
});
|
|
|
|
it("getAuthJson should return tokens that work for authentication", async ({ expect }) => {
|
|
const { clientApp, serverApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authJson = await clientApp.getAuthJson();
|
|
|
|
expect(authJson.accessToken).toBeDefined();
|
|
expect(authJson.refreshToken).toBeDefined();
|
|
|
|
// Create a new server app using these tokens
|
|
const serverUser = await serverApp.getUser({ tokenStore: authJson as { accessToken: string, refreshToken: string } });
|
|
|
|
expect(serverUser).not.toBeNull();
|
|
expect(serverUser!.primaryEmail).toBe("test@test.com");
|
|
});
|
|
|
|
it("getAuthorizationHeader should return a Bearer token that works for authentication", async ({ expect }) => {
|
|
const { clientApp, serverApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authorizationHeader = await clientApp.getAuthorizationHeader();
|
|
if (authorizationHeader == null) {
|
|
throw new Error("Expected authorization header for signed-in user.");
|
|
}
|
|
expect(authorizationHeader).toMatch(/^Bearer\s+(stackauth_|hexclave_).+/);
|
|
const parsedAuthorizationHeader = parseAuthorizationHeaderValue(authorizationHeader);
|
|
const authJson = await clientApp.getAuthJson();
|
|
expect(parsedAuthorizationHeader).toEqual(authJson);
|
|
|
|
const requestLike = {
|
|
headers: new Headers({
|
|
authorization: authorizationHeader,
|
|
}),
|
|
};
|
|
const serverUser = await serverApp.getUser({ tokenStore: requestLike });
|
|
|
|
expect(serverUser).not.toBeNull();
|
|
expect(serverUser!.primaryEmail).toBe("test@test.com");
|
|
});
|
|
|
|
it("getAuthHeaders should return headers that work for authentication", async ({ expect }) => {
|
|
const { clientApp, serverApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authHeaders = await clientApp.getAuthHeaders();
|
|
const parsed = JSON.parse(authHeaders["x-stack-auth"]);
|
|
|
|
// Create a new server app using these tokens
|
|
const serverUser = await serverApp.getUser({ tokenStore: parsed });
|
|
|
|
expect(serverUser).not.toBeNull();
|
|
expect(serverUser!.primaryEmail).toBe("test@test.com");
|
|
});
|
|
|
|
it("tokens from user should match and both work for authentication", async ({ expect }) => {
|
|
const { clientApp, serverApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const user = await clientApp.getUser({ or: "throw" }) as any;
|
|
|
|
// Get tokens from different methods
|
|
const accessToken = await user.getAccessToken();
|
|
const refreshToken = await user.getRefreshToken();
|
|
const sessionTokens = await user.currentSession.getTokens();
|
|
const authJson = await user.getAuthJson();
|
|
|
|
// All should be consistent
|
|
expect(accessToken).toBe(sessionTokens.accessToken);
|
|
expect(refreshToken).toBe(sessionTokens.refreshToken);
|
|
expect(accessToken).toBe(authJson.accessToken);
|
|
expect(refreshToken).toBe(authJson.refreshToken);
|
|
|
|
// And they should all work for authentication
|
|
const serverUser1 = await serverApp.getUser({ tokenStore: { accessToken: accessToken!, refreshToken: refreshToken! } });
|
|
const serverUser2 = await serverApp.getUser({ tokenStore: sessionTokens as { accessToken: string, refreshToken: string } });
|
|
const serverUser3 = await serverApp.getUser({ tokenStore: authJson as { accessToken: string, refreshToken: string } });
|
|
|
|
expect(serverUser1).not.toBeNull();
|
|
expect(serverUser2).not.toBeNull();
|
|
expect(serverUser3).not.toBeNull();
|
|
|
|
// All should be the same user
|
|
expect(serverUser1!.id).toBe(serverUser2!.id);
|
|
expect(serverUser2!.id).toBe(serverUser3!.id);
|
|
});
|
|
|
|
// ============================================
|
|
// Legacy getAuthHeaders tests (deprecated but still need to work)
|
|
// ============================================
|
|
|
|
it("clientApp.getAuthJson should return auth tokens", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authJson = await clientApp.getAuthJson();
|
|
expect(authJson).toBeDefined();
|
|
expect(authJson.accessToken).toBeDefined();
|
|
expect(authJson.refreshToken).toBeDefined();
|
|
expect(typeof authJson.accessToken).toBe("string");
|
|
expect(typeof authJson.refreshToken).toBe("string");
|
|
});
|
|
|
|
it("clientApp.getAuthJson should return null tokens when not signed in", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
|
|
const authJson = await clientApp.getAuthJson();
|
|
expect(authJson).toBeDefined();
|
|
expect(authJson.accessToken).toBeNull();
|
|
expect(authJson.refreshToken).toBeNull();
|
|
});
|
|
|
|
it("clientApp.getAuthorizationHeader should return Bearer header value", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authorizationHeader = await clientApp.getAuthorizationHeader();
|
|
if (authorizationHeader == null) {
|
|
throw new Error("Expected authorization header for signed-in user.");
|
|
}
|
|
expect(authorizationHeader).toMatch(/^Bearer\s+(stackauth_|hexclave_).+/);
|
|
expect(parseAuthorizationHeaderValue(authorizationHeader)).toEqual(await clientApp.getAuthJson());
|
|
});
|
|
|
|
it("clientApp.getAuthorizationHeader should return null when not signed in", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
|
|
const authorizationHeader = await clientApp.getAuthorizationHeader();
|
|
expect(authorizationHeader).toBeNull();
|
|
});
|
|
|
|
it("clientApp.getAuthorizationHeader should work with tokenStore option", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authorizationHeader = await clientApp.getAuthorizationHeader({ tokenStore: "memory" });
|
|
if (authorizationHeader == null) {
|
|
throw new Error("Expected authorization header for signed-in user.");
|
|
}
|
|
expect(authorizationHeader).toMatch(/^Bearer\s+(stackauth_|hexclave_).+/);
|
|
expect(parseAuthorizationHeaderValue(authorizationHeader)).toEqual(await clientApp.getAuthJson({ tokenStore: "memory" }));
|
|
});
|
|
|
|
it("clientApp.getAuthHeaders should return x-stack-auth header", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authHeaders = await clientApp.getAuthHeaders();
|
|
expect(authHeaders).toBeDefined();
|
|
expect(authHeaders["x-stack-auth"]).toBeDefined();
|
|
expect(typeof authHeaders["x-stack-auth"]).toBe("string");
|
|
|
|
// Verify the header contains valid JSON
|
|
const parsed = JSON.parse(authHeaders["x-stack-auth"]);
|
|
expect(parsed.accessToken).toBeDefined();
|
|
expect(parsed.refreshToken).toBeDefined();
|
|
});
|
|
|
|
it("clientApp.getAuthHeaders should work with tokenStore option", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authHeaders = await clientApp.getAuthHeaders({ tokenStore: "memory" });
|
|
expect(authHeaders).toBeDefined();
|
|
expect(authHeaders["x-stack-auth"]).toBeDefined();
|
|
expect(typeof authHeaders["x-stack-auth"]).toBe("string");
|
|
|
|
// Verify the header contains valid JSON
|
|
const parsed = JSON.parse(authHeaders["x-stack-auth"]);
|
|
expect(parsed.accessToken).toBeDefined();
|
|
expect(parsed.refreshToken).toBeDefined();
|
|
});
|
|
|
|
it("clientApp.getAuthJson should work with tokenStore option", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authJson = await clientApp.getAuthJson({ tokenStore: "memory" });
|
|
expect(authJson).toBeDefined();
|
|
expect(authJson.accessToken).toBeDefined();
|
|
expect(authJson.refreshToken).toBeDefined();
|
|
expect(typeof authJson.accessToken).toBe("string");
|
|
expect(typeof authJson.refreshToken).toBe("string");
|
|
});
|
|
|
|
it("clientApp.signOut should sign out the user", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const userBefore = await clientApp.getUser();
|
|
expect(userBefore).not.toBeNull();
|
|
|
|
// clientApp.signOut delegates to user.signOut, which triggers redirect
|
|
// So we just verify it doesn't throw
|
|
// In a real scenario, this would redirect the browser
|
|
// For this test, we're just verifying the method exists and can be called
|
|
const authJsonBefore = await clientApp.getAuthJson();
|
|
expect(authJsonBefore.accessToken).not.toBeNull();
|
|
});
|
|
|
|
it("clientApp auth methods should match user auth methods", async ({ expect }) => {
|
|
const { clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const user = await clientApp.getUser({ or: "throw" });
|
|
|
|
// Compare getAuthJson results
|
|
const appAuthJson = await clientApp.getAuthJson();
|
|
const userAuthJson = await user.getAuthJson();
|
|
expect(appAuthJson.accessToken).toBe(userAuthJson.accessToken);
|
|
expect(appAuthJson.refreshToken).toBe(userAuthJson.refreshToken);
|
|
|
|
// Compare getAuthHeaders results
|
|
const appAuthHeaders = await clientApp.getAuthHeaders();
|
|
const userAuthHeaders = await user.getAuthHeaders();
|
|
expect(appAuthHeaders["x-stack-auth"]).toBe(userAuthHeaders["x-stack-auth"]);
|
|
|
|
// Compare getAuthorizationHeader results
|
|
const appAuthorizationHeader = await clientApp.getAuthorizationHeader();
|
|
const userAuthorizationHeader = await user.getAuthorizationHeader();
|
|
expect(appAuthorizationHeader).toBe(userAuthorizationHeader);
|
|
});
|
|
|
|
// ============================================
|
|
// Request-like tokenStore override tests
|
|
// (Critical for Bun middleware compatibility - GitHub issue #1144)
|
|
// ============================================
|
|
|
|
/**
|
|
* Helper to build a cookie string for a request-like object.
|
|
*/
|
|
function buildCookieHeader(cookies: Record<string, string>): string {
|
|
return Object.entries(cookies)
|
|
.map(([name, value]) => `${name}=${encodeURIComponent(value)}`)
|
|
.join("; ");
|
|
}
|
|
|
|
it("getUser should work with request-like tokenStore containing auth cookies", async ({ expect }) => {
|
|
// Use nextjs-cookie as default to simulate real middleware scenario.
|
|
// This ensures the fix prevents rscHeaders() from being called when an override is provided.
|
|
const { serverApp, clientApp } = await createApp({}, {
|
|
server: { tokenStore: "nextjs-cookie" },
|
|
});
|
|
|
|
// Create two different users
|
|
const userAEmail = `${crypto.randomUUID()}@user-a.test`;
|
|
const userBEmail = `${crypto.randomUUID()}@user-b.test`;
|
|
const password = "test-password-123";
|
|
|
|
// Sign up User A
|
|
await clientApp.signUpWithCredential({
|
|
email: userAEmail,
|
|
password,
|
|
verificationCallbackUrl: "http://localhost:3000",
|
|
});
|
|
await clientApp.signInWithCredential({ email: userAEmail, password });
|
|
const userA = await clientApp.getUser({ or: "throw" });
|
|
const userATokens = await userA.currentSession.getTokens();
|
|
await clientApp.signOut();
|
|
|
|
// Sign up User B and keep them signed in on clientApp
|
|
await clientApp.signUpWithCredential({
|
|
email: userBEmail,
|
|
password,
|
|
verificationCallbackUrl: "http://localhost:3000",
|
|
});
|
|
await clientApp.signInWithCredential({ email: userBEmail, password });
|
|
const userB = await clientApp.getUser({ or: "throw" });
|
|
|
|
// Verify the two users are different
|
|
expect(userA.id).not.toBe(userB.id);
|
|
|
|
// Verify serverApp's default nextjs-cookie store would fail outside Next.js context.
|
|
// without passing tokenStore override rscHeaders() would be called and fail.
|
|
await expect(serverApp.getUser()).rejects.toThrow();
|
|
|
|
// Build cookies with User A's tokens (Option B - use different user's tokens)
|
|
const refreshCookieName = `stack-refresh-${serverApp.projectId}--default`;
|
|
const refreshCookieValue = JSON.stringify({
|
|
refresh_token: userATokens.refreshToken,
|
|
updated_at_millis: Date.now(),
|
|
});
|
|
const accessCookieValue = JSON.stringify([userATokens.refreshToken, userATokens.accessToken]);
|
|
|
|
const cookieHeader = buildCookieHeader({
|
|
[refreshCookieName]: refreshCookieValue,
|
|
"stack-access": accessCookieValue,
|
|
});
|
|
|
|
// Create a request-like object with User A's cookies
|
|
const requestLike = {
|
|
headers: new Headers({
|
|
cookie: cookieHeader,
|
|
}),
|
|
};
|
|
|
|
// Call getUser with the request-like tokenStore
|
|
// This MUST read from requestLike because:
|
|
// 1. serverApp's default store is empty
|
|
// 2. clientApp has User B signed in, not User A
|
|
// 3. Only requestLike contains User A's tokens
|
|
const serverUser = await serverApp.getUser({ tokenStore: requestLike });
|
|
|
|
expect(serverUser).not.toBeNull();
|
|
expect(serverUser!.id).toBe(userA.id); // Must be User A, not User B
|
|
expect(serverUser!.primaryEmail).toBe(userAEmail);
|
|
});
|
|
|
|
it("getUser should return null for request-like tokenStore with no auth cookies", async ({ expect }) => {
|
|
// Use nextjs-cookie as default to simulate real middleware scenario
|
|
const { serverApp } = await createApp({}, {
|
|
server: { tokenStore: "nextjs-cookie" },
|
|
});
|
|
|
|
// Create a request-like object with no auth cookies
|
|
const requestLike = {
|
|
headers: new Headers({
|
|
cookie: "",
|
|
}),
|
|
};
|
|
|
|
// Should return null, not throw
|
|
const serverUser = await serverApp.getUser({ tokenStore: requestLike });
|
|
|
|
expect(serverUser).toBeNull();
|
|
});
|
|
|
|
it("getUser should work with Authorization header in request-like tokenStore", async ({ expect }) => {
|
|
const { serverApp, clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authorizationHeader = await clientApp.getAuthorizationHeader();
|
|
if (authorizationHeader == null) {
|
|
throw new Error("Expected authorization header for signed-in user.");
|
|
}
|
|
expect(authorizationHeader).toMatch(/^Bearer\s+(stackauth_|hexclave_).+/);
|
|
expect(parseAuthorizationHeaderValue(authorizationHeader)).toEqual(await clientApp.getAuthJson());
|
|
|
|
const requestLike = {
|
|
headers: new Headers({
|
|
authorization: authorizationHeader,
|
|
}),
|
|
};
|
|
|
|
const serverUser = await serverApp.getUser({ tokenStore: requestLike });
|
|
const clientUser = await clientApp.getUser({ or: "throw" });
|
|
|
|
expect(serverUser).not.toBeNull();
|
|
expect(serverUser!.primaryEmail).toBe("test@test.com");
|
|
expect(serverUser!.id).toBe(clientUser.id);
|
|
});
|
|
|
|
it("getUser should work with record-style headers in request-like tokenStore", async ({ expect }) => {
|
|
const { serverApp, clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const authorizationHeader = await clientApp.getAuthorizationHeader();
|
|
if (authorizationHeader == null) {
|
|
throw new Error("Expected authorization header for signed-in user.");
|
|
}
|
|
|
|
const requestLike = {
|
|
headers: {
|
|
Authorization: authorizationHeader,
|
|
Cookie: null,
|
|
},
|
|
};
|
|
|
|
const serverUser = await serverApp.getUser({ tokenStore: requestLike });
|
|
const clientUser = await clientApp.getUser({ or: "throw" });
|
|
|
|
expect(serverUser).not.toBeNull();
|
|
expect(serverUser!.primaryEmail).toBe("test@test.com");
|
|
expect(serverUser!.id).toBe(clientUser.id);
|
|
});
|
|
|
|
it("getUser should work with x-stack-auth header in request-like tokenStore", async ({ expect }) => {
|
|
const { serverApp, clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
// Get the auth headers from the signed-in user
|
|
const authHeaders = await clientApp.getAuthHeaders();
|
|
|
|
// Create a request-like object with x-stack-auth header
|
|
const requestLike = {
|
|
headers: new Headers({
|
|
"x-stack-auth": authHeaders["x-stack-auth"],
|
|
}),
|
|
};
|
|
|
|
// Call getUser with the request-like tokenStore
|
|
const serverUser = await serverApp.getUser({ tokenStore: requestLike });
|
|
const clientUser = await clientApp.getUser({ or: "throw" });
|
|
|
|
expect(serverUser).not.toBeNull();
|
|
expect(serverUser!.primaryEmail).toBe("test@test.com");
|
|
expect(serverUser!.id).toBe(clientUser.id);
|
|
});
|
|
|
|
it("getUser with tokenStore override should not affect the app's default token store", async ({ expect }) => {
|
|
const { serverApp, clientApp } = await createApp({});
|
|
await signIn(clientApp);
|
|
|
|
const clientUser = await clientApp.getUser({ or: "throw" });
|
|
|
|
// Get user via serverApp with explicit tokenStore override
|
|
const tokens = await clientUser.currentSession.getTokens();
|
|
const serverUserWithOverride = await serverApp.getUser({
|
|
tokenStore: { accessToken: tokens.accessToken!, refreshToken: tokens.refreshToken! },
|
|
});
|
|
|
|
expect(serverUserWithOverride).not.toBeNull();
|
|
expect(serverUserWithOverride!.id).toBe(clientUser.id);
|
|
|
|
// serverApp's default token store (memory) should still be empty
|
|
// since we used an override, not the default
|
|
const serverUserDefault = await serverApp.getUser();
|
|
expect(serverUserDefault).toBeNull();
|
|
});
|